asf-tooling opened a new issue, #1079:
URL: https://github.com/apache/tooling-trusted-releases/issues/1079
**ASVS Level(s):** L1
**Description:**
### Summary
Three custom response classes (TextResponse, ElementResponse, ShellResponse)
in `atr/web.py` specify only the mimetype parameter without explicitly
including the charset. These classes rely on Werkzeug's `get_content_type()`
method to automatically append `; charset=utf-8` to all text/* mimetypes. While
this produces correct headers at runtime, it creates a dependency on framework
implementation details rather than explicit application control.
### Details
The affected response classes are located at:
- `atr/web.py` line ~195 (TextResponse)
- `atr/web.py` line ~202 (ElementResponse)
- `atr/web.py` line ~207 (ShellResponse)
All three classes pass the `mimetype` parameter to the parent Response class
without an explicit charset, relying on implicit framework behavior to append
`; charset=utf-8`.
### Recommended Remediation
Replace the `mimetype` parameter with explicit `content_type` including
charset in all three response classes:
```python
import quart
# `htm` is the project's HTML element module (provides htm.Element); imported as elsewhere in atr/web.py


class TextResponse(quart.Response):
    def __init__(self, text: str, status: int = 200) -> None:
        # Explicit charset: no reliance on Werkzeug appending it for text/* mimetypes
        super().__init__(text, status=status, content_type="text/plain; charset=utf-8")


class ElementResponse(quart.Response):
    def __init__(self, element: htm.Element, status: int = 200) -> None:
        super().__init__(str(element), status=status, content_type="text/html; charset=utf-8")


class ShellResponse(quart.Response):
    def __init__(self, text: str, status: int = 200) -> None:
        super().__init__(text, status=status, content_type="text/x-shellscript; charset=utf-8")
```
Effort: Low (3 one-line changes). Risk: None (zero runtime behavior change).
### Acceptance Criteria
- [ ] All three response classes explicitly specify `content_type` with
charset
- [ ] Existing functionality remains unchanged (no runtime behavior change)
- [ ] Unit tests verify correct Content-Type headers are set
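An added, framework-free helper (not part of this issue or the atr project) that a unit test for the third acceptance criterion could call against each response's `Content-Type` header; the `application/*` entries in `CHARSET_TYPES` and the sample headers are assumptions, and only the three mimetypes in `EXPECTED` come from the issue.

```python
"""Check that a Content-Type header names the expected mimetype and, for
text-like types, carries an explicit charset (stdlib only)."""
from __future__ import annotations

from email.message import Message

# text/* is the rule the issue cites; the application/* entries are an assumption.
CHARSET_TYPES = {"application/xml", "application/javascript"}

# The three classes from the issue and the mimetype each is expected to send.
EXPECTED = {
    "TextResponse": "text/plain",
    "ElementResponse": "text/html",
    "ShellResponse": "text/x-shellscript",
}


def needs_charset(mimetype: str) -> bool:
    """True for types where a missing charset leaves decoding to the client."""
    return mimetype.startswith("text/") or mimetype.endswith("+xml") or mimetype in CHARSET_TYPES


def parse_content_type(value: str) -> tuple[str, str | None]:
    """Split 'Text/HTML; Charset=UTF-8' into ('text/html', 'utf-8')."""
    msg = Message()
    msg["Content-Type"] = value
    return msg.get_content_type(), msg.get_content_charset()


def content_type_findings(header: str | None, expected: str, charset: str = "utf-8") -> list[str]:
    """Return the problems with one Content-Type header; empty list means correct."""
    if header is None:
        return ["Content-Type header missing"]
    mimetype, actual_charset = parse_content_type(header)
    findings: list[str] = []
    if mimetype != expected:
        findings.append(f"mimetype {mimetype!r}, expected {expected!r}")
    if needs_charset(expected):
        if actual_charset is None:
            findings.append("charset missing")
        elif actual_charset != charset.lower():
            findings.append(f"charset {actual_charset!r}, expected {charset!r}")
    return findings


def audit(headers_by_class: dict[str, str | None]) -> dict[str, list[str]]:
    """Map {class name: observed header} to {class name: findings}, keeping only failures."""
    return {n: f for n, h in headers_by_class.items() if (f := content_type_findings(h, EXPECTED[n]))}


if __name__ == "__main__":
    # Constructed sample headers: one correct, one with the charset left off.
    print(audit({"TextResponse": "text/plain; charset=utf-8", "ShellResponse": "text/x-shellscript"}))
```

In the project's tests, the observed headers would come from the test client's response objects rather than the constructed literals above.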
### References
- Source reports: L1:4.1.1.md
- Related findings: None
- ASVS sections: 4.1.1
### Priority
Low
---
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]